HP-UX IPSec version A.02.01 Administrator's Guide
HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 152
Perfect Forward Secrecy (PFS) with key and identity protection.
With PFS, the compromise (exposure) of one key exposes only the data
protected by that key.
IKE Automatic Re-keying
The IKE protocol also allows HP-UX IPSec to dynamically negotiate new
IPsec keys rather than exposing the same key for long periods. You can
configure key lifetimes based on time or number of bytes sent.
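The two lifetime types mentioned above (time-based and byte-based) interact in a way that is easier to see in code. The following is an added illustration, not HP-UX code: a constructed model of a single IPsec SA whose key expires when either its time lifetime or its byte lifetime is reached, plus a soft threshold that triggers a re-key before the hard limit so traffic is never blocked waiting for a new key. The soft-threshold ratio, the SPI values and the traffic records are assumptions chosen for the example, not HP-UX defaults.

```python
"""Constructed model of IPsec SA lifetime accounting (illustration only,
not HP-UX IPSec code). Time and byte lifetimes are both tracked; the SA
must be replaced when either limit is reached, whichever comes first.
"""
from dataclasses import dataclass


@dataclass
class SaLifetime:
    max_seconds: int          # time-based lifetime of the key
    max_bytes: int            # byte-based lifetime of the key
    soft_ratio: float = 0.9   # assumed: begin re-keying at 90% of either limit


@dataclass
class IpsecSa:
    spi: int                  # Security Parameter Index identifying this SA
    created_at: float         # timestamp (seconds) when the key was installed
    lifetime: SaLifetime
    bytes_protected: int = 0  # bytes encrypted/authenticated under this key

    def account(self, nbytes: int) -> None:
        """Charge protected traffic against the byte lifetime."""
        self.bytes_protected += nbytes

    def status(self, now: float) -> str:
        """Return 'ok', 'rekey' (soft limit reached) or 'expired' (hard limit)."""
        age = now - self.created_at
        lt = self.lifetime
        if age >= lt.max_seconds or self.bytes_protected >= lt.max_bytes:
            return "expired"
        if (age >= lt.soft_ratio * lt.max_seconds
                or self.bytes_protected >= lt.soft_ratio * lt.max_bytes):
            return "rekey"
        return "ok"


def simulate(traffic, lifetime, first_spi=0x1000):
    """Replay (timestamp, nbytes) records against a rotating SA.

    Returns a list of events. A 'rekey' event models IKE negotiating a
    fresh key; a 'hard_expire' event marks the case where the old key ran
    out before a replacement was in place, which real deployments avoid
    by re-keying at the soft threshold.
    """
    events = []
    spi = first_spi
    sa = IpsecSa(spi, traffic[0][0], lifetime)
    for ts, nbytes in traffic:
        state = sa.status(ts)
        if state == "expired":
            events.append(("hard_expire", sa.spi, ts))
        if state in ("rekey", "expired"):
            spi += 1
            sa = IpsecSa(spi, ts, lifetime)   # new key, new SPI
            events.append(("rekey", sa.spi, ts))
        sa.account(nbytes)
    return events


def sample_traffic():
    """Constructed traffic records (timestamp in seconds, bytes sent)."""
    return [(0, 500_000), (10, 300_000), (20, 150_000),
            (30, 100_000), (3300, 10_000), (7000, 10_000)]


def sample_lifetime():
    """Constructed policy: 1 hour or 1 MB, whichever comes first."""
    return SaLifetime(max_seconds=3600, max_bytes=1_000_000)


if __name__ == "__main__":
    for event in simulate(sample_traffic(), sample_lifetime()):
        print(event)
```

In the sample run the first key is rotated on byte volume (950 KB protected, above the 900 KB soft threshold), the second on age (3270 s, above the 3240 s soft threshold), and the third shows what a hard expiry looks like when no traffic arrived in time to trigger the soft re-key. Shorter lifetimes reduce the amount of data exposed by a compromised key, at the cost of more frequent IKE exchanges.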
Manual Keys
Manual keys are an alternative to IKE. Instead of using IKE to
dynamically generate and distribute cryptography keys for ESP and AH,
the cryptography keys are static and manually distributed using an
out-of-band key exchange. Because manual keys are static, using them is
less secure than using IKE. Manual keys are typically used only when
the remote system does not support IKE, such as a Mobile IPv6 node that
does not support IKE.
Summary
This section contains a list of the key IPsec protocol terms and concepts.
• ESP
The ESP protocol encrypts and authenticates IP data using shared
cryptography keys.
• AH
The AH protocol authenticates IP data and the static fields of the IP
header using shared cryptography keys.
• Transport Mode and Tunnel Mode
ESP and AH can be used in transport mode or tunnel mode. In
transport mode, the ESP or AH header is inserted after the IP
header. In tunnel mode, IPsec encapsulates the original IP packet in
a new IP packet, and IPsec inserts the ESP or AH header in front of
the original IP header.
• IKE